Jamf Protect - Alerts
| Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
| Rulename | Jamf Protect - Alerts |
| Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
| Severity | High |
| Required data connectors | JamfProtect |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
| Version | 1.0.6 |
| Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
name: Jamf Protect - Alerts
eventGroupingSettings:
aggregationKind: AlertPerResult
kind: NRT
alertDetailsOverride:
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotectalerts_CL
severity: High
customDetails:
Protect_Analytic: EventMessage
JamfPro_Status: JamfPro
TargetBinarySigner: TargetBinarySigningTeamID
TargetbinarySign: TargetbinarySignerType
Related_Binaries: TargetBinaryFilePath
Related_File_hash: TargetBinarySHA256
Protect_Tags: Tags
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Protect_Event_Type: EventType
version: 1.0.6
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
relevantTechniques:
suppressionDuration: PT5H
tactics:
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: OSFamily
columnName: DvcOs
- identifier: OSVersion
columnName: DvcOsVersion
entityType: Host
- fieldMappings:
- identifier: Address
columnName: Host_IPs
entityType: IP
- fieldMappings:
- identifier: CommandLine
columnName: TargetProcessCurrentDirectory
- identifier: ProcessId
columnName: TargetProcessId
entityType: Process
- fieldMappings:
- identifier: Algorithm
columnName: algorithm
- identifier: Value
columnName: TargetBinarySHA256
entityType: FileHash
status: Available
suppressionEnabled: false
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
"alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "EventSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"customDetails": {
"JamfPro_Status": "JamfPro",
"Protect_Analytic": "EventMessage",
"Protect_Event_Type": "EventType",
"Protect_Tags": "Tags",
"Related_Binaries": "TargetBinaryFilePath",
"Related_File_hash": "TargetBinarySHA256",
"TargetbinarySign": "TargetbinarySignerType",
"TargetBinarySigner": "TargetBinarySigningTeamID",
"TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
},
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"displayName": "Jamf Protect - Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcOs",
"identifier": "OSFamily"
},
{
"columnName": "DvcOsVersion",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "Host_IPs",
"identifier": "Address"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessCurrentDirectory",
"identifier": "CommandLine"
},
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "algorithm",
"identifier": "Algorithm"
},
{
"columnName": "TargetBinarySHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"query": "jamfprotectalerts_CL\n| extend\n algorithm = \"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.0.6"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}